Deploy A Secured Cognos 8 Servlet Gateway In WebSphere 6


Tip or Technique

Deploying a secured IBM Cognos 8 Servlet Gateway in IBM WebSphere 6

Product(s): IBM Cognos 8 BI, IBM WebSphere

Area of Interest: Security, Infrastructure

Copyright

Copyright 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC is an IBM Company. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Cognos does not accept responsibility for any kind of loss resulting from the use of information contained in this document. This document shows the publication date. The information contained in this document is subject to change without notice. Any improvements or changes to the information contained in this document will be documented in subsequent editions. This document contains proprietary information of Cognos. All rights are reserved. No part of this document may be copied, photocopied, reproduced, stored in a retrieval system, transmitted in any form or by any means, or translated into another language without the prior written consent of Cognos. Cognos and the Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated) in the United States and/or other countries. IBM and the IBM logo are trademarks of International Business Machines Corporation in the United States, or other countries, or both. All other names are trademarks or registered trademarks of their respective companies. Information about Cognos products can be found at www.cognos.com

This document is maintained by the Best Practices, Product and Technology team. You can send comments, suggestions, and additions to cscogpp@ca.ibm.com.

Cognos Proprietary Information

Contents

1 Introduction
1.1 Purpose
1.2 Applicability
1.3 Exclusions and Exceptions
2 Preface and Background
2.1 Servlet Gateway – Use Cases
2.2 Why Not Securing P2PD
2.3 SSO Between Application Server Security and Cognos 8
2.4 SSO Between a 3rd Party Portal and Cognos 8
3 Deploy a Secured Servlet Gateway
3.1 Prepare the Build Process
3.2 Build the Application File
3.3 Deploy the Servlet Gateway
3.4 Restart WebSphere
3.5 Test the Servlet Gateway
Appendix A - Enable WAS Security
Appendix B – Secure a Servlet Gateway EAR File Using AST

1 Introduction

1.1 Purpose

This document describes the steps necessary to deploy an IBM Cognos 8 Servlet Gateway (SGW) to IBM WebSphere application server and secure it with WebSphere security. This is desirable whenever the goal is to achieve single signon between WebSphere security and IBM Cognos 8 directly or, more commonly, single signon between IBM WebSphere Portal and IBM Cognos 8.

1.2 Applicability

While IBM Cognos 8 BI MR2 and IBM WebSphere 6.0.2 were used to create this document, the technique described here applies to all versions of IBM Cognos 8. IBM WebSphere version 5.1 looks a bit different, but basically the same steps apply as well. While other application servers may handle things differently, the file modifications shown here apply to any application server the gateway is deployed to. The operating system on which this is done does not affect the technique presented here.

1.3 Exclusions and Exceptions

We will not touch on the details of how to set up IBM WebSphere or parallel instances of WebSphere server. For information about setting this up, refer to the IBM WebSphere documentation.

Furthermore, note that it is impossible to deploy a Servlet Gateway into the same WebSphere server instance as IBM Cognos 8 BI or IBM Cognos ReportNet. Because of classloader collisions the two can’t coexist, so a Servlet Gateway (SGW) must be deployed in a separate WebSphere server instance!

We assume that the WebSphere instance being deployed to is security enabled (“global security” is enabled and a user registry is set up). Appendix A provides a quick guide on how to enable WebSphere security.

2 Preface and background

This section gives some background on what is done and why a Servlet Gateway is deployed in a secured manner. The impatient may skip to section 3, “Deploy a secured Servlet Gateway”.

2.1 Servlet Gateway – use cases

The Servlet Gateway is less commonly used than CGI or the web server specific implementations like ISAPI or MOD/MOD2. However, it is sometimes needed in more complex scenarios to achieve single sign-on (SSO). This is because this gateway implementation is a Servlet and thus, like the “p2pd” application which constitutes IBM Cognos 8 and contains two Servlets (Content Manager and Dispatcher), needs to be deployed to a Java application server like IBM WebSphere, BEA Weblogic or others.

Since every application server offers its own security system, the Servlets can be put under the umbrella of this application server security so that users trying to access these Servlets need to authenticate with the application server before their requests get served. In SSO scenarios IBM Cognos 8 will then leverage the authentication information available at the application server level, which is passed to IBM Cognos 8’s security, and thus SSO can take place.

Typical use cases for this fall into two categories:

- SSO between application server security and IBM Cognos 8
- SSO between a 3rd party portal and IBM Cognos 8

2.2 Why not securing P2PD

The skilled reader will ask why not secure the p2pd application directly, then, since it consists of Servlets as well. Based on the experience of many deployments, here is an explanation of why using a Servlet Gateway is considered best practice in those cases.

The IBM Cognos 8 architecture has three tiers: Gateway, application server tier components and Content Manager.

Technically the Gateway could be seen as just a proxy interface to the logical construct of the BiBus on which all components sit. However, the Gateway offers a lot of added value and is functionally most complete when it comes to handling SSO scenarios, authentication handshakes in general and serving static web content. In addition, its performance is better than that of a multi-purpose dispatcher which could take over as a logical Gateway. This is true in particular when using web servers, where a mod/mod2 gateway delivers superior performance.

So a Gateway is a good thing to use in any case. When it comes to SSO scenarios including application servers, though, the Servlet Gateway is the only Gateway which is feasible. As opposed to hitting the Dispatcher directly, which is nevertheless valid and supported, the SGW can be moved to a different instance of an application server and hence separate the load for serving portal navigation and static content from the main application server. This is similar to classic three tier architectures which include a web server for this purpose.

There are some rare scenarios where a “routing dispatcher”, an application server tier gateway install which solely runs the dispatcher service, might look like a valid alternative. This refers to setups which use application server plug-ins that route requests to dispatchers directly. But the argument about the load still applies. The decision between a Servlet Gateway and a routing Dispatcher has to be discussed in detail and depends on many factors which are specific to the setup. As of IBM Cognos 8 MR2, fewer issues are being discovered with SSO through Gateways than through the Dispatcher in general.

To sum it up, securing the p2pd application itself by application server security is a valid option, but bear in mind that you then use a dispatcher as a Gateway and hence add the load for static content like Portal navigation and other stuff to the dispatching load. In addition, securing p2pd is slightly more complicated and can cause issues in multi node systems and for SDK access if screwed up.

Generally speaking, using a Gateway is considered a best practice as it is the component designed for this purpose and hence is functionally most complete and robust.

2.3 SSO between application server security and IBM Cognos 8 BI

While this scenario is less frequent, it may appear in enterprise deployments where company policies require security to be established at the application server level. The principal technique is similar for all application servers, independent of vendor. Once a user is authenticated by the application server security, his identity, in Java terms the “principal”, is put into a Java specific environment variable called USER_PRINCIPAL. Code running in the same security domain can retrieve the user’s identity from there. For the Servlet Gateway this means that the gateway code can actually find out which user is communicating with it. It then passes this identity down by proprietary means to Content Manager, which can hence leverage USER_PRINCIPAL in LDAP Namespaces directly or through the trusted signon provider (TSP) for USER_PRINCIPAL (class com.cognos.cps.bseries.auth.CPSTrustedSignon up), which is still provided with IBM Cognos 8 BI. This provider consumes USER_PRINCIPAL and transfers its content into REMOTE_USER, which can be consumed by IBM Cognos 8 Namespaces like LDAP, Active Directory and IBM Cognos Series 7.

It is common, though, for application servers to populate REMOTE_USER automatically as well as USER_PRINCIPAL, so the need for the USER_PRINCIPAL approach is diminished. As a best practice, configuration should rely on REMOTE_USER instead, as it requires no extra TSP and hence only one Namespace being configured.

2.4 SSO between a 3rd party portal and IBM Cognos 8 BI

For SSO scenarios with portal servers, Servlet Gateways can offer a bridge between portal security, which is integrated with application server security most of the time, and IBM Cognos 8. A user’s identity is passed from the portal to an application server, where a Servlet Gateway can be deployed to fetch it for use with IBM Cognos 8. By putting the Servlet Gateway under the application server security, the user’s identity is again provided in USER_PRINCIPAL and/or REMOTE_USER. The Servlet Gateway will either read USER_PRINCIPAL or pass REMOTE_USER, depending on configuration, and thus proxy the user to IBM Cognos 8.

The most common application of this scenario is in the WebSphere world, where WebSphere Portal security is closely interwoven with WebSphere security. WebSphere offers a proprietary security token called the LTPA token, which can be used to pass identities from one WebSphere server to another and thus enables SSO between multiple WebSphere servers. IBM Cognos 8 cannot leverage LTPA tokens directly since there is no way to decrypt those tokens without a proper API provided by IBM, which is not part of Cognos 8. Following the approach above, however, it is still possible to leverage LTPA tokens indirectly by grabbing the user’s identity on an IBM WebSphere application server through the use of a Servlet Gateway, regardless of which WebSphere instance actually did the authentication.

3 Deploy a secured Servlet Gateway

Caution: you cannot deploy the SGW into the same server instance as the p2pd application. You will experience classloader issues which are a result of IBM Cognos 8 not being completely J2EE compliant. This is not an issue but by design. To deploy a Servlet Gateway it is mandatory to use a server instance where no p2pd application is deployed.

The rundown of steps is:

1. Prepare the build process
   First the Servlet Gateway web application, an EAR or WAR file, needs to be built. Some preparations are needed to build the application file in the right fashion.
2. Build the actual application file
3. Deploy the application file to WebSphere

The following sections provide bullet-point style instructions for these steps.

3.1 Prepare the build process

- Go to the C8_INSTALL/war/gateway directory and open a shell.

(IBM Cognos 8 MR1 release only) The batch file that builds the Servlet application file has a flaw which causes the build to fail: it still references the Java version used previously. This is fixed as of the IBM Cognos 8 MR2 release! Simply edit the build.bat/.sh to read

    @echo off
    .\.\bin\jre\1.3.1\bin\java ./bin/xercesImpl.jar"org.apache.tools.ant.Main %*

instead of

    @echo off
    .\.\bin\jre\1.4.2\bin\java ./bin/xercesImpl.jar"org.apache.tools.ant.Main %*

- Edit the build.xml file to minimize the war/ear file size by excluding some unneeded or misplaced content.

This refers to the webcontent/samples directory, which contains DB sample data and sample models that are simply misplaced in the WAR/EAR file, as they are not needed to run the gateway in any form. Furthermore, you can exclude documentation completely (for in-house testing or development boxes) or strip languages you don’t need, like Japanese or German, and thus dramatically reduce the size of the WAR file which is about to be created and speed up the deployment.

As of release IBM Cognos 8 MR2 there are new options in the Application file build wizard of Cognos Configuration which aim for the same purpose. However, you can only either exclude documentation and samples completely or leave them in as a whole. So the author suggests applying the modifications described here for best results.

To exclude unneeded/unwanted files from the web application file, add the following at line 76 inside the fileset element (the blanks before the closing “/” are intentional!):

    <war warfile="temp/war/ServletGateway.war" webxml="war/gateway/web.xml">
      <fileset dir="webcontent">
        <exclude name="index.html"/>
        <exclude name="default.html"/>
        <!-- exclude Samples subfolder since it doesn't belong here anyway -->
        <exclude name="samples/" />
        <!-- minimize war/ear file size by excluding unneeded documentation
             and online-help languages. Just uncomment the respective
             line to exclude the subdirectory named there -->
        <!--exclude name="documentation/" /-->
        <exclude name="documentation/ja/" />
        <exclude name="documentation/de/" />
        <!--exclude name="documentation/en/" /-->
        <exclude name="documentation/fr/" />
      </fileset>

- Edit the web.xml file to include a security constraint for the Servlet.

To put the Servlet under application server security, a security constraint for the web resource (the URL to access the Servlet) has to be defined. The syntax is defined as part of the Servlet specification from SUN.
The file web.xml contains the declaration of all the Servlets in the web application which is to be built based on it, implying a WAR file is used. If for some reason it has to be an EAR file, which would be absolutely equivalent regarding functionality, see Appendix B on how to do this. Since the EAR file requires modifications to an additional file and involves the use of a 3rd party tool, the author suggests sticking with the WAR file.

The web.xml should look like this (additions are marked red):

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
      <display-name>Cognos 8 Servlet Gateway</display-name>
      <description>The Cognos 8 Servlet Gateway</description>
      <servlet>
        <servlet-name>ServletGateway</servlet-name>
        <!-- CUSTOM CLASSLOADER RELATED CONFIGURATION. DO NOT CHANGE -->
        <servlet-class>com.cognos.pogo.isolation.ServletWrapper</servlet-class>
        <init-param>
          <param-name>servlet-class</param-name>
          <param-value>com.cognos.servletgateway.Gateway</param-value>
        </init-param>
        <init-param>
          <param-name>classLoaderName</param-name>
          <param-value>SGVeryOwnClassLoader</param-value>
        </init-param>
        <!-- END OF CUSTOM CLASSLOADER RELATED CONFIGURATION -->
        <init-param>
          <!-- Should the gateway encrypt passwords? -->
          <param-name>encryptPassword</param-name>
          <!-- "true" or "false" -->
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <!-- The maximum number of connections in the pool -->
          <param-name>maxPoolSize</param-name>
          <!-- A non-zero positive integer -->
          <param-value>20</param-value>
        </init-param>
        <init-param>
          <!-- The number of seconds between pings to dispatcher -->
          <param-name>pingPeriod</param-name>
          <!-- A non-zero positive integer -->
          <param-value>180</param-value>
        </init-param>
        <init-param>
          <!-- The number of seconds between checking the startup file
               for changed dispatchers -->
          <param-name>fileCheckPeriod</param-name>
          <!-- A non-zero positive integer -->
          <param-value>30</param-value>
        </init-param>
        <init-param>
          <!-- Tell CAF that this is the gateway -->
          <param-name>cafintegration</param-name>
          <param-value>gateway</param-value>
        </init-param>
        <init-param>
          <!-- Should the Gateway URL decode incoming cookies?
               Use 'true' if you're running iPlanet or Sun ONE webserver
               and 'false' otherwise -->
          <param-name>urldecodeCookies</param-name>
          <!-- "true" or "false" -->
          <param-value>false</param-value>
        </init-param>
        <init-param>
          <!-- Should the status page be available via "/status" PATH INFO? -->
          <param-name>enableStatusPage</param-name>
          <!-- "true" or "false" -->
          <param-value>false</param-value>
        </init-param>
        <!-- Override the dispatcher URL for debugging purposes
        <init-param>
          <param-name>dispatcherURLOverride</param-name>
          <param-value>http://localhost:9300/p2pd/servlet/dispatch</param-value>
        </init-param>
        -->
        <load-on-startup>
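
The security constraint this step calls for can be checked before the WAR is built. The script below is an added example, not part of the original document or of the Cognos installation: it parses a web.xml and reports whether the ServletGateway URL mapping is covered by an auth-constraint for all HTTP methods, whether the role is declared, and whether a login-config exists. The URL pattern `/servlet/Gateway/*`, the role `CognosUsers`, the `BASIC` auth method and the helper names `covers` and `audit` are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml excerpt; URL pattern, role and auth method are assumed.
SECURED = """<web-app>
  <servlet-mapping>
    <servlet-name>ServletGateway</servlet-name>
    <url-pattern>/servlet/Gateway/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Gateway</web-resource-name>
      <url-pattern>/servlet/Gateway/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CognosUsers</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>CognosUsers</role-name>
  </security-role>
</web-app>"""


def covers(constraint, mapping):
    """True if a constraint url-pattern protects every URL a mapping serves."""
    if constraint in ("/*", mapping):
        return True
    if constraint.endswith("/*"):
        prefix = constraint[:-2]
        return mapping == prefix or mapping.startswith(prefix + "/")
    return False


def audit(web_xml, servlet="ServletGateway"):
    """Return findings for the servlet's URL mappings; [] means protected."""
    root = ET.fromstring(web_xml)
    text = lambda e: (e.text or "").strip()
    declared = {text(r) for r in root.findall("security-role/role-name")}
    mappings = [m.findtext("url-pattern", "").strip()
                for m in root.findall("servlet-mapping")
                if m.findtext("servlet-name", "").strip() == servlet]
    findings = [] if mappings else ["no servlet-mapping for " + servlet]
    for pattern in mappings:
        full, partial = False, []
        for sc in root.findall("security-constraint"):
            roles = {text(r) for r in sc.findall("auth-constraint/role-name")}
            for wrc in sc.findall("web-resource-collection"):
                urls = [text(u) for u in wrc.findall("url-pattern")]
                if not roles or not any(covers(u, pattern) for u in urls):
                    continue  # open to all, unusable, or about another URL
                methods = [text(m) for m in wrc.findall("http-method")]
                partial += methods
                full = full or not methods
                for role in sorted(roles - declared - {"*"}):
                    findings.append("role %s has no security-role" % role)
        if not full:
            why = ("only %s constrained" % ",".join(partial)) if partial \
                else "no auth-constraint covers it"
            findings.append(pattern + ": " + why)
    if root.find("login-config/auth-method") is None:
        findings.append("no login-config/auth-method")
    return findings
```

A constraint that lists `http-method` elements is reported because requests using any other method would reach the gateway without authentication.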
